Pages

Search This Blog

Translate

Search Tool




Mar 3, 2020

Analysis | The Cybersecurity 202: Super Tuesday will be big test for security of Los Angeles County's new voting machines

By Joseph Marks



Voters prepare their ballots in voting booths during early voting for the California presidential primary election at an L.A. County 'vote center' on March 1, 2020 in Los Angeles, California. (Photo by Mario Tama/Getty Images)
THE KEY
Today’s Super Tuesday contest will mark a critical test for the brand new voting machines that Los Angeles County had custom built in the hopes voting could be easy and accessible for its 5.2 million residents.
But as security concerns persist, it may also be judgment day for the strategy to try to wrest control of voting technology from the stranglehold of a handful of major vendors experts say can't be trusted in an era of Russian hacking.
The county poured $280 million into the machines, a rare example of a system not built by any of the three companies that control more than 90 percent of the U.S. voting machine market, as my colleague Neena Satija and I report. The county even planned to offer its software, which produces ballots with paper records in more than a dozen languages, free to other jurisdictions that also wanted to break free of the big vendors.
Yet an official review contracted by California’s top election office in December uncovered numerous digital and physical flaws and sparked fears among security advocates that the vote could be compromised.
“We may be witnessing something like the emperor’s new clothes,” Susan Greenhalgh, vice president of policy at the National Election Defense Coalition advocacy group, told us. “We’ve been told that this is so great and so expensive and so fabulous for the past 10 years. And when it actually had to see the light of day and get scrutinized by some independent testers, it didn’t come close to meetingexpectations.”
The debut of the new machines in L.A. was especially enticing since states and counties across the country are struggling to figure out the best way to protect elections against foreign interference – and how to spend their state taxpayer dollars and federal assistance on technology as security advocates warned the old guard of voting machine vendors isn't transparent or nimble enough to guarantee security.
But the poor report card for the effort by the largest county in the nation, with massive resources, may have them questioning whether it’s worth going this route.
An image of the ballot-marking device developed by Los Angeles County.
The security problems – which the county’s Registrar of Voters Dean Logan told us were all remedied or mitigated before today’s primary contest – include a flaw that could allow hackers to insert malicious software into vote-tallying machines using a USB drive and inadequate physical security around both the voting machines and boxes used for transferring ballots.
The machines, dubbed Voting Solutions for All People or VSAP, also lack full-disk encryption – a cybersecurity gold standard – that won’t be added before 2021, officials said. And there’s no word on when the county will release its software code to other jurisdictions that want to follow its lead, though Logan told us that’s still the plan.
The concerns come as top government officials warn that Russia and other U.S. adversaries remain eager to undermine the 2020 election even though they haven’t yet identified “any activity designed to prevent voting or change votes.”
Officials renewed those warnings yesterday with a joint statement from top intelligence, law enforcement and cybersecurity officials sounding an alarm about adversaries’ efforts to “spread false information and propaganda about political processes and candidates on social media in hopes to cause confusion and create doubt in our system.”
Logan, who led development of the system, defended it in an interview, saying the issues critics raise are to be expected for a bold system that was built from scratch.
“Given the time frame and the dynamics that we had to work under, I don’t think it’s particularly surprising or shocking,” he said. “It’s an entirely new and innovative way to deploy a voting system, and it’s more complex and challenging than any other election jurisdiction in the country.”
He also accused critics of reflexively attacking the system because it’s new, adding that “that’s why we’ve been stuck for decades on the limited voting systems we have in this country.”
Indeed, the system has become fodder for critics of ballot-marking devices – a category of touch screen voting machines like the VSAP that also produce paper ballots for voters to review. BMDS have become far more common since 2016 when election officials across the nation shifted to paper-based voting systems that are more secure against hacking – but many cybersecurity experts say they’re less secure than hand-marked paper ballots.
L.A. County has made a number of fixes ahead of today's primary. In addition to patching vulnerabilities, the county increased training for poll workers and voter education, and it has placed tamper-evident seals and protective covers on some equipment.
The secretary of state’s office also required the county to provide a paper ballot option for voters who don’t want to use the new machines. But the paper ballots do not list the candidates or the specific races, meaning voters must write all of their choices in by hand, raising the possibility of ambiguous responses that could confuse election results.
L.A. County began the process of replacing its antiquated legacy voting machines back in 2009 – long before the election world was upended by Russia’s 2016 hacking and disinformation operation, which included digitally probing voting systems across the country and penetrating databases in Illinois and at least two Florida counties.
The county’s development contract with its vendor Smartmatic, however, promised that California’s cybersecurity and accessibility standards for voting systems – some of the strictest in the nation – would be “woven directly into the DNA” of the new system. That didn’t happen, according to the report commissioned by the California secretary of state’s office and conducted by the consulting firm Freeman, Craft, McGregor Group.
In addition to the digital and physical security concerns, the report highlighted a messy ballot design that requires voters to scroll through multiple pages to review all the candidates for some races. That has already prompted a lawsuit from the city of Beverly Hills, which says it’s unfair to candidates on the second page.
“It’s a great concept, but it has a fatal flaw in that it does not provide the electorate with an objective view of the election,” Julian Gold, a Beverly Hills City Council member who will appear on the ballot, said in an interview. “When was the last time you [got] to Page 2 of a Google search?”
Here’s a full rundown on what to expect on Super Tuesday from my colleagues Amy Gardner and Elise Viebeck.

PINGED, PATCHED, PWNED

An “I Voted” sign points to a polling station. (Richard Vogel/AP)
PINGED: At least 50 election-related websites for counties and towns voting today have security problems that make them especially vulnerable to cyberattacks, a review by Jack Gillum at ProPublica found. The sites are in districts that serve about 2 million voters. The vulnerabilities, which include outdated software and poor encryption, raise concerns that Russian hackers could sow chaos by changing election night tallies or taking sites offline during critical reporting periods.  
Several localities said they would fix their websites after ProPublica contacted them. But others said they had no plans to make fixes before today’s primaries.
That includes Richmond, the Virginia capital that represents more than 153,000 voters, which is still running on a 2003 version of Microsoft’s Windows operating system that the company is no longer issuing routine patches for. Richmond officials said they’re still getting periodic updates from Microsoft meant to plug major security holes.
“We are absolutely prepared to protect the integrity of our elections and have taken significant steps to do so,” Richmond spokesman Jim Nolan said.
None of the election offices contacted by ProPublica reported that their sites had been hacked. But U.S. intelligence agencies warn foreign adversaries are eager to compromise the election, and attacking county websites is “in the playbook,” one senior U.S. official told Jack.

A Huawei logo is seen on the side of a building at the headquarters in Shenzhen, China. (Jason Lee/Reuters)
PATCHED: Internal Huawei documents reviewed by Reuters add meat to long-standing charges that the Chinese telecom has violated U.S. sanctions against Iran, Steve Stecklow at Reuters reports.
The new documents relate to a multimillion-dollar Iranian telecommunications project that figures prominently in an ongoing U.S. criminal case against Huawei and its chief financial officer, Meng Wanzhou. The documents, which aren’t cited in the criminal case, could bolster a campaign by U.S. officials to get allies to ban Huawei equipment from their next-generation 5G wireless networks.
Huawei has pushed back against numerous U.S. charges, including that it’s complicit in Chinese government spying and dodged sanctions to sell U.S. equipment to Iranian telecom carriers.
But the new documents  show the company sold more than 300 cases of U.S. computer equipment, including HP goods, to an Iranian telecom provider.
A Huawei spokesman declined to comment, citing the ongoing legal case.

A North Korean flag flies before missiles displayed during a military parade to mark 100 years since the birth of Kim Il Sung in Pyongyang. (Eed Jones/AFP/Getty Images)
PWNED: U.S. prosecutors indicted two Chinese citizens for allegedly helping North Korean hackers launder at least $100 million in stolen virtual currencies, my colleagues Spencer S. Hsu and Ellen Nakashima report. The charges could signal that U.S. officials are turning up the heat on long-suspected Chinese involvement in North Korean hacking operations.
The indictment is the first known case of U.S. officials charging Chinese citizens for aiding North Korean hacking. The Treasury Department also imposed sanctions on the two Chinese men, Tian Yinyin and Li Jiadong, yesterday.
U.S. officials and the United Nations have accused North Korea of stealing bitcoin and other virtual currencies as a way to circumvent global sanctions and fund its renegade nuclear program. U.N. officials estimate North Korean hackers have stolen at least $2 billion for its weapons program by hacking financial institutions and cryptocurrency exchanges in recent years.
Want the latest reporting on the coronavirus? Sign up for “To Your Health: coronavirus” a new Washington Post newsletter that will bring you everything you need to know about the spread of the coronavirus in the U.S. and abroad.

PUBLIC KEY

Cybersecurity news from the public sector:

WhatsApp users in Nigeria, Brazil, Pakistan, Ireland and other countries have received a wave of falsehoods about the number of people affected by coronavirus, the way the illness is transmitted and the availability of treatments.
Tony Romm

Outside security researchers alerted the Pentagon about more software vulnerabilities in its networks than ever before, according to statistics released by a Department of Defense unit focused on cyber operations.
CyberScoop

PRIVATE KEY

Cybersecurity news from the private sector:

Pharmacy chain Walgreens is alerting customers that their prescription data and other information may have been exposed thanks to a flaw in the company’s messaging app.
CyberScoop

Two units of cruise operator Carnival Corp disclosed on Monday that they were th...
Reuters

Beyond the spotlight of the cybersecurity industry’s IPO-fueled paydays and reputation-making research lives the slow burn of daily anxiety. In just about every industry, mental health is overlooked and under-appreciated. But in cybersecurity, “it’s even more stigmatized,” according to psychiatrist Ryan Louie.
CyberScoop

THE NEW WILD WEST

Cybersecurity news abroad:

Facebook has removed hundreds of accounts, pages, groups and Instagram accounts originating from India and Egypt for violating Facebook’s policy against foreign or government interference.
CyberScoop

ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.
ZDNet

In mid-February, country representatives convened at the United Nations to hold the second formal meeting of the Open-Ended Working Group on international cybersecurity
CFR

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.